我正在尝试在基于云的 VPS 上设置递归 DNS 服务器。如果我设置 dnssec 验证 否它工作正常,但如果我设置dnssec 验证自动我从 dig 获得状态:SERVFAIL。但是,当我使用确切地相同的配置文件,它适用于dnssec 验证自动。
两者都在 Ubuntu 18.04.3 上运行 BIND 9.11.3。我已将 named.conf.options 精简为:
options {
directory "/var/cache/bind";
recursion yes;
allow-transfer { none; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { none; };
};
named.conf.local 为空,其他均为默认设置。在工作服务器上,当我发出挖掘 apple.com @localhost我得到:
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> apple.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7616
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f987cd320c5efed7576fef585da668961c4f29e79a6cfa7b (good)
;; QUESTION SECTION:
;apple.com. IN A
;; ANSWER SECTION:
apple.com. 3600 IN A 17.142.160.59
apple.com. 3600 IN A 17.178.96.59
apple.com. 3600 IN A 17.172.224.47
;; AUTHORITY SECTION:
apple.com. 172800 IN NS c.ns.apple.com.
apple.com. 172800 IN NS b.ns.apple.com.
apple.com. 172800 IN NS d.ns.apple.com.
apple.com. 172800 IN NS a.ns.apple.com.
;; Query time: 401 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 15 19:47:18 CDT 2019
;; MSG SIZE rcvd: 181
但是在出现故障的服务器上使用相同的命令我得到:
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> apple.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 774ab4aac2a012bade665c985da668b77508d1e7bdf048f2 (good)
;; QUESTION SECTION:
;apple.com. IN A
;; Query time: 4000 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 15 19:47:51 CDT 2019
;; MSG SIZE rcvd: 66
在故障服务器的 /var/log/syslog 中我看到:
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 199.7.91.13#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 199.7.83.42#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 202.12.27.33#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.5.5.241#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.58.128.30#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.36.148.17#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 198.41.0.4#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 198.97.190.53#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 193.0.14.129#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.33.4.12#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.112.36.4#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.203.230.10#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 199.9.14.201#53
如果我修改配置说dnssec 验证否;然后故障的服务器开始工作。
关于如何开始调试这个有什么想法吗?
编辑:我已经验证(使用 md5sum) /etc/bind/bind.keys 在两个服务器上完全相同。
EDIT2:打开查询日志后,我得到了以下额外的日志行:
[...] query failed (SERVFAIL) for apple.com/IN/A at ../../../bin/named/query.c:8402